Re: Fixing glib2.0 CVE-2024-34397 in buster



Hello Simon,

Markus (apo) claimed the package yesterday after your message.

For clarity I'm CC:ing him here, and I added a note in data/dla-needed.txt.
https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dla-needed.txt

Also, thanks for the testing procedure :)

Cheers!
Sylvain Beucler
Debian LTS Team

On 10/05/2024 17:02, Simon McVittie wrote:
Please cc either me or the glib2.0 package's address on any replies that
are relevant outside the LTS team: I am not subscribed to -lts.

Normally I don't attempt to support any packages in the LTS distributions,
but for glib2.0 I was the author of the original CVE fix and it turns
out that I might need a buster-compatible version of it for my day job,
so I've done a prototype backport to buster:
https://salsa.debian.org/gnome-team/glib/-/merge_requests/39
(git fetch https://salsa.debian.org/gnome-team/glib wip/cve-2024-34397/buster)

This incorporates:

* the original CVE fixes developed under embargo and released to bookworm
   and bullseye as DSA 5682-1, to unstable as 2.80.0-10, and to Ubuntu
   (the version used here is very similar to the one in bullseye, but with
   even more conflict resolution)

* automated test coverage for the CVE fix, released in the same versions
   as above (again the version used here is very similar to the one in
   bullseye, with minor adjustments to avoid requiring newer APIs)

* a fix for a serious regression in ibus introduced by the CVE fixes,
   released to bookworm and bullseye as DSA 5682-2, to unstable in 2.80.1-1,
   and to Ubuntu

* a fix for a minor/rare memory leak introduced by a prerequisite patch
   backported as part of the CVE fixes (see #1070851), released to unstable
   in 2.80.2-1 but not yet fixed in bookworm/bullseye or Ubuntu; this seems
   low-risk, but can be dropped/reverted if it makes the LTS team unhappy

Please could whoever handles this in the LTS team take over review/testing
from this point, and let me know if there are any problems?

In the newer suites, this update was accompanied by a fix for gnome-shell,
in which screencasting/screen-recording would have regressed after fixing
the vulnerability. In buster, my understanding is that this will not be
necessary, because GNOME Shell 3.30.x is too old to have had the relevant
bug; but I have not tested a full buster system.

I would recommend testing:

* build-time tests

* autopkgtest

* general use of GNOME

* gnome-shell: whatever screen recording or screencasting functionality was
   present in buster, if any (I don't remember what was offered in 3.30.x)

* ibus: Compose key, dead keys, and ideally non-Latin input
   (e.g. Japanese with mozc)

Thanks,
     smcv
